Since I no longer use Apache for anything, this guide is probably outdated; please keep that in mind.
Here is a little example of how to set up suEXEC in Apache; feel free to comment and help make it better.
If you see something wrong, please do not just post what is wrong, but try to explain it so everyone is able to learn from it.
In this guide I will use the user name "etherus" and the group name "ulyaoth"; please change these on your machine to fit your needs. The IP that I will use in this example is "126.96.36.199"; this should be changed to the IP address you are going to use. Lastly, throughout this example I use the name "ulyaoth" as the website and directory name; of course, this should be changed to something that fits your situation.
This guide was tested and created on Fedora 20.
What is suEXEC
Apache suEXEC is a feature of the Apache Web server. It allows users to run CGI and SSI applications as a different user - normally, all web server processes run as the default web server user (often wwwrun, apache or nobody). The suEXEC feature consists of a module for the web server and a binary executable which acts as a wrapper.
If a client requests a CGI and suEXEC is activated, it will call the suEXEC binary, which then wraps the CGI script and executes it under the user account of the server process (virtual host) defined in the virtual host directive.
More information can be found at the following websites:
suEXEC 2.4 Documentation
suEXEC 2.2 Documentation
suEXEC 1.3 Documentation
Before you start you will have to prepare a few things: you will need to create a user name and a separate group name for every website you plan to add.
Step 1: Create the group "ulyaoth"
Code:
$ groupadd ulyaoth
Step 2: Create the user "etherus"
Code:
$ useradd -s /sbin/nologin etherus
Step 3: Set a password for the user "etherus"
Code:
$ passwd etherus
Step 4: Add the user "etherus" into the group "ulyaoth"
Code:
$ usermod -a -G ulyaoth etherus
This is a very basic user/group creation, and there should be plenty of better examples on Google or any other search engine.
Now that we have created the user and placed him in the correct group, it is time to create the directories we will need for our website. I will use the standard "www" directory in Fedora for this example; however, you do not have to do this, and you are able to create a separate partition and create all the directories there.
Step 5: Create the directory "ulyaoth" inside "/var/www"
Code:
$ mkdir -p /var/www/ulyaoth
Step 6: Create the directory "logs" inside "/var/www/ulyaoth/" (This will contain the log files that your website will generate)
Code:
$ mkdir -p /var/www/ulyaoth/logs
Step 7: Create the directory "www" inside "/var/www/ulyaoth" (This will contain the directories of your website)
Code:
$ mkdir -p /var/www/ulyaoth/www
Step 8: Create the directory "html" inside "/var/www/ulyaoth/www" (This will contain the files for your website)
Code:
$ mkdir -p /var/www/ulyaoth/www/html
Step 9: Create the directory "cgi-bin" inside "/var/www/ulyaoth/www" (This will contain any scripts your website will use)
Code:
$ mkdir -p /var/www/ulyaoth/www/cgi-bin
This should be all the directories you will need to run a website; all that is left now is to change the permissions and user/group on those folders.
Step 10: Change the user and group that own the directory "ulyaoth" and all the subdirectories
Code:
$ chown -R etherus:ulyaoth /var/www/ulyaoth
Step 11: Change the permission on the ulyaoth directory to 664 and add +x.
Code:
$ chmod 664 /var/www/ulyaoth
$ chmod +x /var/www/ulyaoth
Step 12: Change the permission on the logs directory to 664.
Code:
$ chmod 664 /var/www/ulyaoth/logs
Step 13: Change the permission on the www directory to 664 and add +x.
Code:
$ chmod 664 /var/www/ulyaoth/www
$ chmod +x /var/www/ulyaoth/www
Step 14: Change the permission on the cgi-bin directory to 775 and add +x.
Code:
$ chmod 755 /var/www/ulyaoth/www/cgi-bin
$ chmod +x /var/www/ulyaoth/www/cgi-bin
Step 15: Change the permission on the html directory to 664 and add +x.
Code:
$ chmod 664 /var/www/ulyaoth/www/html
$ chmod +x /var/www/ulyaoth/www/html
Now that we have prepared everything on the server to accept suEXEC, all that is left is editing our httpd.conf, so please open this file and add the following into it.
Step 16: Add the code below to your vhost.conf and change everything to your needs.
Code:
<VirtualHost *:80>
    # CGI programs of this virtual host run as user etherus, group ulyaoth
    SuexecUserGroup etherus ulyaoth
    ServerAdmin email@example.com
    ServerName ulyaoth.asia
    ServerAlias www.ulyaoth.asia
    DocumentRoot /var/www/ulyaoth/www/html
    ErrorLog /var/www/ulyaoth/logs/error_log
    CustomLog /var/www/ulyaoth/logs/access_log common
    DirectoryIndex index.html index.htm index.shtml index.php
    ScriptAlias /cgi-bin/ /var/www/ulyaoth/www/cgi-bin/
    # AllowOverride is only valid inside <Directory>, so the CGI settings
    # are set on the cgi-bin directory.
    <Directory /var/www/ulyaoth/www/cgi-bin>
        AllowOverride None
        # Order/Allow is the 2.2 access syntax; Apache 2.4 needs mod_access_compat for it
        Order allow,deny
        Allow from all
        Options +ExecCGI
        AddHandler cgi-script .cgi .pl
    </Directory>
</VirtualHost>
Now restart your Apache and you have your website running in suEXEC.
If you run SELinux then errors may arise; you will probably have to execute the following commands:
Code:
$ chcon -R -t httpd_sys_script_exec_t /var/www/ulyaoth/www/cgi-bin
$ chcon -R -t httpd_log_t /var/www/ulyaoth/logs
$ setsebool -P httpd_enable_cgi=1
$ setsebool -P httpd_can_network_connect=1
$ semanage fcontext -a -t httpd_sys_content_t "/var/www/ulyaoth/www/html(/.*)?"
If you do not have semanage installed you can run the following command on a yum based Linux distro:
Code:
$ yum -y install policycoreutils-python
This guide may contain many errors and mistakes; I just did this for learning purposes and am sharing it with everyone so maybe someone else is able to learn from it.
Again, if I did make mistakes or you know how to do something better, you can point this out by adding a reply; I will then update the topic so we all are able to learn from it.
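
suEXEC will not run a CGI program unless the program and its directory are owned by the SuexecUserGroup user and group and are not writable by group or others, and the program is not setuid or setgid; that is why the cgi-bin command in Step 14 uses 755. The script below is an added example, not part of the original guide, that checks a directory against those file-system rules only. The names check_path and suexec_check are made up for illustration, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: checks a CGI directory against the ownership and mode
# rules suEXEC applies. Helper names are made up; needs GNU stat.

# check_path PATH USER:GROUP -> prints each problem, returns 1 if any
check_path() {
    path=$1; want=$2; bad=0
    info=$(stat -c '%a %U:%G' "$path") || { echo "$path: cannot stat"; return 1; }
    mode=${info%% *}; owner=${info#* }
    if [ "$owner" != "$want" ]; then
        echo "$path: owner is $owner, expected $want"; bad=1
    fi
    # 022 = write bits for group and others
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$path: mode $mode is writable by group or others"; bad=1
    fi
    # 06000 = setuid and setgid bits, checked on programs only
    if [ -f "$path" ] && [ $(( 0$mode & 06000 )) -ne 0 ]; then
        echo "$path: mode $mode has setuid or setgid set"; bad=1
    fi
    return $bad
}

# suexec_check DIR USER GROUP -> 0 when DIR and every file in it pass
suexec_check() {
    dir=$1; want="$2:$3"; failed=0
    check_path "$dir" "$want" || failed=1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        check_path "$f" "$want" || failed=1
    done
    return $failed
}

# Constructed demo tree: accepted at 755, rejected once group-writable.
demo() {
    d=$(mktemp -d); printf '#!/bin/sh\necho ok\n' > "$d/test.cgi"
    chmod 755 "$d" "$d/test.cgi"
    u=$(stat -c %U "$d"); g=$(stat -c %G "$d")
    suexec_check "$d" "$u" "$g" && echo "755: accepted"
    chmod 775 "$d"
    suexec_check "$d" "$u" "$g" || echo "775: rejected"
    rm -rf "$d"
}

if [ $# -eq 3 ]; then suexec_check "$@"; else demo; fi
```

Run it with three arguments, for example the cgi-bin path, etherus and ulyaoth, to check the tree built in this guide; without arguments it runs the constructed demo.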